Thieves steal $45million in massive ATM heist across 27 countries

In one of the biggest cyber crimes in recent times, $45million was stolen from banks across 27 countries without any human being physically entering any bank.

Federal prosecutors in New York announced on Thursday that police had arrested seven suspects in one of the biggest bank heists in history — and none of the hundreds of people involved in 27 countries used a gun or bomb threat, or even set foot inside a bank lobby. U.S. Attorney Loretta Lynch compared the sophisticated, “surgical” heist — which netted $45 million in two separate operations — to the casino-theft movie Ocean’s Eleven

The network of hackers and street criminals “participated in a massive 21st century bank heist that reached across the internet and stretched around the globe,” Lynch said at a news conference. The plot sounds ready-made for Hollywood. To give a sense of the scope of this operation, here are some key numbers:

$45 million
Amount stolen in a matter of hours in two ATM-withdrawal sprees, on Dec. 22, 2012, and Feb. 19-20, 2013

40,500
Total ATM withdrawals

27
Countries where ATMs were raided in the two operations

17
Prepaid credit card accounts used in the heist, five in December and 12 in February

$2.8 million
Amount stolen from Manhattan ATMs, including $2.4 million on Feb. 19-20

2,904
ATM withdrawals over the 10-hour spree in Manhattan on Feb. 19-20

How did several hundred people manage to pull off a huge bank heist without anyone noticing? The Justice Department says the thieves used what the cyber-criminal underground calls “Unlimited Operations.” This is how it works, according to federal prosecutors:

The “Unlimited Operation” begins when the cyber-crime organization hacks into the computer systems of a credit card processor, compromises prepaid debit card accounts, and essentially eliminates the withdrawal limits and account balances of those accounts. The elimination of withdrawal limits enables the participants to withdraw literally unlimited amounts of cash until the operation is shut down…. These attacks rely upon both highly sophisticated hackers and organized criminal cells whose role is to withdraw the cash as quickly as possible….

First, over the course of months, the hackers plan and execute sophisticated cyber intrusions to gain unauthorized access to the computer networks of credit card processors that are responsible for processing prepaid debit card transactions. They target databases of prepaid debit cards, which are typically loaded with finite funds; such cards are used by many employers in lieu of paychecks and by charitable organizations to distribute disaster assistance…. Next, the cybercrime organization cashes in, by distributing the hacked prepaid debit card numbers to trusted associates around the world…. These associates operate cells or teams of “cashers,” who encode magnetic stripe cards, such as gift cards, with the compromised card data. When the cybercrime organization distributes the personal identification numbers (PINs) for the hacked accounts, the casher cells spring into action, immediately withdrawing cash from ATMs across the globe.

The hacker-masterminds watched the ATM withdrawals on their computers, so they wouldn’t get cheated out of their share — the eight-member New York cell kept 20 percent of their haul, Lynch said, and sent the rest to the heist organizers. Then the “cashers” laundered the money, in part by buying Rolex watches and luxury cars.

The feds didn’t provide much information about the international investigation into the global heist, or say how many people have been arrested in other countries. And they didn’t drop any clues as to who organized the operation, other than saying that an email links the New York cell to a money-laundering gang in St. Petersburg, Russia. But the New York group appears to have been caught at least partly through old fashioned police work, mixed with a dash of modern hubris: The thieves were photographed by multiple ATMs, their backpacks getting visibly heavier at each stop, and some posted photos of themselves with wads of cash.

Here’s where things get really dramatic: The New York cell was made up of eight Dominican-Americans living in Yonkers. The first member was arrested March 27, trying to flee to the Dominican Republic, and the last two were picked up on Wednesday. The alleged ringleader, Alberto Yusi Lajud-Peña, wasn’t arrested because he’s dead. The New York Times explains:

Lajud-Peña fled the United States just as the authorities were starting to make arrests of members of his crew, the law enforcement official said. On April 27, according to news reports from the Dominican Republic, two hooded gunmen stormed a house where he was playing dominoes and began shooting. A manila envelope containing about $100,000 in cash remained untouched. (Yahoo!)

No Nigerian has been named so far, and hopefully we’ll be able to clear our name from the list of cyber-frauds